As @cottsay mentioned the current instructions should be valid.
We’ve seen that some gpg implementations don’t import new keys to replace existing keys even if the existing key has expired.
But for simplicity of the deployment for users I’ve also updated the gpg key deployment to use the simpler https syntax from: ROS GPG Key Expiration Incident